
Sheriff's Site has security problems...

My local newspaper has started printing a "Busted" section, which I really enjoy, that shows the photos of recently busted people from in and around the area that I live. At the bottom of the small print is a URL that, when accessed, will take you to the county sheriff's web site where you can request extra patrols for your neighborhood, tips on how to start a neighborhood watch, and most importantly Inmate Information such as first_name, last_name, charges, bond, cell No. and photo.

When accessing inmate information you have the choice of "Search by Name", "Search by Date," or click one of the letters that span the top of the site; clicking on one of these letters lists every inmate whose last name corresponds to the letter, no big deal. What is interesting is that choosing one of the other options will present to you a text input box(es) that will execute (server side) just about anything you ask it to if you ask really nice and say SIR and, on a side note, calling it OFFICER helps a lot too and gets it motivated even though it's just a turn-key and doesn't have a gun.... Yet.

Now, when I said execute anything, I understand that I left the "execute" possibilities wide open and I left it wide open on purpose. There is very little that will not be executed by the server including SQL commands and ALL <script></script>'s. <--- if the forum sanitized that it's supposed to be "script /script" with tags. The server also has 17 open ports so I wonder if it has a firewall at all.

I'm sure about now you're thinking "A state/county-run site that seems like it wants to be hacked has got to be a trap." Remember that I live where people are so lazy that instead of saying "Good Morning" they just say "mornin'" and never even adjust their eyes on you so it's no wonder that cyber security could be less than standard and this is really not a state/county-run site, more like some good ol' boys just trying to please the county's demanding public as the site is only accessible as an IP on a non-default port (8088) and No DN.

No, No, really I called the sheriff's office and spoke to a completely incompetent "officer" that, after explaining the situation, replied with "what is it that you want me to do sir?" ... "I don't know, maybe tell some'who or at least connect me with some'who that maintains the site that is connected to your booking database that is "vulnerable," I mean, that is in trouble and could cause the shit to hit the fan. I dunno if it's right, just to me that is, being able to change why Bubba is in jail again and, furthermore, possibly release him if I chose. Whatta you think? I could be wrong. I guess." ... "No one'ssss is in the office sir, you'll hav'ffa call baaack on muuuunday." "OK" ... click.

Ok, so I begin to rethink my position in all of this and to make sure all my information is in order I go back to the small printed URL that I found on the "BUSTED" page. As it turns out and no surprise, I'm wrong about (at least) one thing. The "******* County Sheriff's Office" website is not affiliated with the site that is hosting the inmate information. WTF?

Even though the "non affiliated site" is embedded as a link in the county's site they have a disclaimer stating that the content is not guaranteed and is not affiliated with the *.. County's Site in the HTML as a comment (as of several days ago they have a pop up warning stating that the site is not affiliated). Why embed the link to a point that if you didn't look at the status bar and/or the URL address in the address bar you would have no idea that you left the site... down to the same logos, headers, footers and borders and duplicate /images dir, even the ones that didn't get used? ... I dunno.

UPDATE: it's been a month since the above happened and nothing has changed after sending a very detailed e-mail to the site's admin (actually, the company that maintains the sheriff's site) explaining and giving "Cut and Paste" examples and explaining how easy it would be to correct the problems. I did get an e-mail back from the admin stating that he/she would look into it. A month later, nothing has changed.

So, should I continue to "harr..ass" the admin about the security and the fact that user input is not being sanitized at all or should I just walk away from the whole situation? Furthermore, should I release this into the wild? Would it be immoral and/or illegal? It's just a matter of time before someone who knows how to and has the balls to DROP TABLE or worse stumbles across this site.
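For reference, the kind of correction the post says was pointed out to the admin, as an added example that is not part of the original thread and is not the site's code: a "Search by Name" handler that binds user input as a query parameter and HTML-encodes everything it prints. The table and column names are assumptions modelled on the fields the post lists, the rows are constructed sample data, and sqlite3 stands in for the site's unknown database.

```python
import html
import sqlite3

COLUMNS = "first_name, last_name, charges, bond, cell_no"  # assumed schema


def make_demo_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE inmates ({COLUMNS})")
    db.executemany("INSERT INTO inmates VALUES (?, ?, ?, ?, ?)", [
        ("John", "Doe", "Trespassing", "500", "A1"),
        ("Jane", "Dalton", "<b>Theft</b>", "1500", "B2"),
    ])
    return db


def search_by_name(db, last_name):
    """Prefix search on last name; input is bound as data, never spliced into SQL."""
    # Escape LIKE metacharacters so '%' and '_' typed by the user match literally.
    term = (last_name.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    cur = db.execute(
        f"SELECT {COLUMNS} FROM inmates "
        "WHERE last_name LIKE ? ESCAPE '\\' ORDER BY last_name",
        (term + "%",),
    )
    return cur.fetchall()


def render_results(query, rows):
    """Build the result page; the echoed query and every cell are HTML-encoded."""
    out = [f"<h2>Results for {html.escape(query)}</h2>", "<table>"]
    for row in rows:
        cells = "".join(f"<td>{html.escape(str(c))}</td>" for c in row)
        out.append(f"<tr>{cells}</tr>")
    out.append("</table>")
    return "\n".join(out)


if __name__ == "__main__":
    db = make_demo_db()
    print(render_results("D", search_by_name(db, "D")))
```

Stored values are encoded on output as well as the echoed search term, since a booking record can carry markup just as easily as the input box can.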

Just let it go. You tried to do the right thing. Don't release it in the wild, that will just cause you trouble. A general rule of thumb I have is "don't mess with people who can lock you up and charge you with all kinds of things". It's a simple rule, but one that seems to work out for the best. If someone with evil intent does come across this site, it's not your problem. You tried, they didn't care. When it hits the local papers, and makes headlines, then they might care.

One thing I just thought of...if your local paper has a "technology" writer, you may try and contact that person. Other than that, move on to something else.

And hope that no one figures out your sheriff's office and cracks the system for you... because now you'll be #1 on the list if it hits the fan.

I guess if the smart reader were to look at all of my posts (very few) they could figure out which county I currently live in. The county in question is actually a neighbor county so that leaves things a little more vague.

As far as being #1 on the list, that would suck!

Someone is eventually going to crack the system. It's inevitable.
I know very little about networks and cracking security and I can manipulate this site. This site has no security that's visible so the next person with knowledge and ill intentions will severely pwn them. Hopefully they will either patch the system or say "He told us so ... ".

Just went back through all my posts and deleted residential info (for the most part)